Title: [114948] branches/chromium/1025
- Revision
- 114948
- Author
- cev...@google.com
- Date
- 2012-04-23 14:50:28 -0700 (Mon, 23 Apr 2012)
Log Message
Merge 113825
BUG=121899
Review URL: https://chromiumcodereview.appspot.com/10202001
Modified Paths
Added Paths
Diff
Copied: branches/chromium/1025/LayoutTests/fast/block/float/intruding-float-not-removed-from-next-sibling-crash-expected.txt (from rev 113825, trunk/LayoutTests/fast/block/float/intruding-float-not-removed-from-next-sibling-crash-expected.txt) (0 => 114948)
--- branches/chromium/1025/LayoutTests/fast/block/float/intruding-float-not-removed-from-next-sibling-crash-expected.txt (rev 0)
+++ branches/chromium/1025/LayoutTests/fast/block/float/intruding-float-not-removed-from-next-sibling-crash-expected.txt 2012-04-23 21:50:28 UTC (rev 114948)
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.
Copied: branches/chromium/1025/LayoutTests/fast/block/float/intruding-float-not-removed-from-next-sibling-crash.html (from rev 113825, trunk/LayoutTests/fast/block/float/intruding-float-not-removed-from-next-sibling-crash.html) (0 => 114948)
--- branches/chromium/1025/LayoutTests/fast/block/float/intruding-float-not-removed-from-next-sibling-crash.html (rev 0)
+++ branches/chromium/1025/LayoutTests/fast/block/float/intruding-float-not-removed-from-next-sibling-crash.html 2012-04-23 21:50:28 UTC (rev 114948)
@@ -0,0 +1,44 @@
+<html>
+<head>
+<style>
+#float1 {
+ float: left;
+}
+#div1 {
+ display: table;
+ padding-top: 1em;
+ padding-bottom: 1em;
+ margin-bottom: 1em;
+ -webkit-margin-before: -100px;
+}
+</style>
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+_onload_ = function() {
+document.body.appendChild(document.createElement('select'));
+
+float1 = document.createElement('hr');
+float1.setAttribute('id', 'float1');
+document.body.appendChild(float1);
+
+div1 = document.createElement('div');
+div1.setAttribute('id', 'div1');
+document.body.appendChild(div1);
+div1.appendChild(document.createElement('textarea'));
+
+div2 = document.createElement('div');
+document.body.appendChild(div2);
+div2.appendChild(document.createElement('input'));
+
+document.body.offsetTop;
+document.body.removeChild(float1);
+document.body.offsetTop;
+document.body.innerHTML = "PASS. WebKit didn't crash.";
+}
+</script>
+</head>
+<body>
+</body>
+</html>
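Review bot: As rendered on this page the load handler is assigned to `_onload_` rather than `onload`, so the function would never run and the body would never receive the PASS text that the expected file requires. This is probably the mail archive's emphasis markup leaking into the listing, but if the committed file really reads this way the line should be `onload = function() {`. The test also carries no comment saying what it exercises; going by the file name and the remove-then-`offsetTop` sequence, a one-line `<!-- Removing a float that still intrudes into a following sibling must not crash on the next layout. -->` near the top would help. `float1`, `div1` and `div2` are implicit globals, and `var` declarations inside the handler would keep them off `window`.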
Modified: branches/chromium/1025/Source/WebCore/rendering/RenderBlock.cpp (114947 => 114948)
--- branches/chromium/1025/Source/WebCore/rendering/RenderBlock.cpp 2012-04-23 21:30:38 UTC (rev 114947)
+++ branches/chromium/1025/Source/WebCore/rendering/RenderBlock.cpp 2012-04-23 21:50:28 UTC (rev 114948)
@@ -4286,26 +4286,21 @@
{
if (!m_floatingObjects)
return;
+
const FloatingObjectSet& floatingObjectSet = m_floatingObjects->set();
FloatingObjectSetIterator end = floatingObjectSet.end();
- for (FloatingObjectSetIterator it = floatingObjectSet.begin(); it != end; ++it) {
- if (logicalBottomForFloat(*it) > logicalHeight()) {
+
+ for (RenderObject* next = nextSibling(); next; next = next->nextSibling()) {
+ if (!next->isRenderBlock() || next->isFloatingOrPositioned() || toRenderBlock(next)->avoidsFloats())
+ continue;
+
+ RenderBlock* nextBlock = toRenderBlock(next);
+ for (FloatingObjectSetIterator it = floatingObjectSet.begin(); it != end; ++it) {
RenderBox* floatingBox = (*it)->renderer();
if (floatToRemove && floatingBox != floatToRemove)
continue;
-
- RenderObject* next = nextSibling();
- while (next) {
- if (next->isRenderBlock() && !next->isFloatingOrPositioned() && !toRenderBlock(next)->avoidsFloats()) {
- RenderBlock* nextBlock = toRenderBlock(next);
- if (nextBlock->containsFloat(floatingBox))
- nextBlock->markAllDescendantsWithFloatsForLayout(floatingBox);
- else
- break;
- }
-
- next = next->nextSibling();
- }
+ if (nextBlock->containsFloat(floatingBox))
+ nextBlock->markAllDescendantsWithFloatsForLayout(floatingBox);
}
}
}
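Review bot: The rewritten sibling walk has no comment explaining why it now visits every following sibling and every float, so the dropped `logicalBottomForFloat(*it) > logicalHeight()` filter and the `else break` could later be reintroduced as an optimisation. The accompanying crash test suggests (the hunk itself does not show it) that a sibling could keep an entry for a float after it was removed, so I would add above the outer `for`: `// Do not filter on float height or stop at the first sibling lacking the float: a later sibling may still list it, and a stale entry would outlive the removed renderer.` The walk is now siblings × floats with no early exit; when `floatToRemove` is non-null the inner scan could perhaps be replaced by one `nextBlock->containsFloat(floatToRemove)` check per sibling, but only if a float absent from this block's own set never needs marking, which has to be confirmed against the callers. The function's signature is outside the hunk.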